GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
OpenRun: Redirect URL validation bypass using //host paths leads to Open Redirect
Moderate
CVE-2026-55252
was published
for
github.com/openrundev/openrun
(Go)
Jul 9, 2026
mint: Unbounded streams map growth via PUSH_PROMISE without follow-up HEADERS
High
CVE-2026-48862
was published
for
mint
(Erlang)
Jul 9, 2026
mint: Unbounded CONTINUATION/HEADERS frame accumulation (CONTINUATION flood)
High
CVE-2026-49754
was published
for
mint
(Erlang)
Jul 9, 2026
mint: Content-Length header accepts non-RFC "+" sign prefix
Moderate
CVE-2026-49753
was published
for
mint
(Erlang)
Jul 9, 2026
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`
Low
CVE-2026-48861
was published
for
mint
(Erlang)
Jul 9, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
Sylius: IDOR on Shop Payment Request API endpoints
Moderate
CVE-2026-53639
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint
Moderate
CVE-2026-53638
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Moderate
CVE-2026-53637
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Critical
CVE-2026-52778
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
Critical
CVE-2026-52777
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Authenticated SQL Injection via ReactionManager
High
CVE-2026-52775
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
Moderate
CVE-2026-52774
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php`
Moderate
CVE-2026-52773
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
Moderate
CVE-2026-52772
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`)
High
CVE-2026-52771
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
High
CVE-2026-52770
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`
High
CVE-2026-52769
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)`
High
CVE-2026-52767
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action
Critical
CVE-2026-52766
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read
Moderate
CVE-2026-52763
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
High
CVE-2026-52762
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
ProTip!
Advisories are also available from the
GraphQL API